Accepting request 873406 from home:jsegitz:branches:network

- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
  as root via password by default (is also upstream default). Comment
  indicates that this was a temporary meassure that we now had for 
  five years, time to get rid of it (bsc#1173067)

OBS-URL: https://build.opensuse.org/request/show/873406
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=229
This commit is contained in:
Dirk Mueller 2021-04-17 14:22:02 +00:00 committed by Git OBS Bridge
parent 4b2c4475a9
commit d13558019e
4 changed files with 8 additions and 66 deletions

View File

@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
* PAM authentication is enabled and mostly even required, do not turn it off. * PAM authentication is enabled and mostly even required, do not turn it off.
* root authentiation with password is enabled by default (PermitRootLogin yes).
NOTE: this has security implications and is only done in order to not change
behaviour of the server in an update. We strongly suggest setting this option
either "prohibit-password" or even better to "no" (which disables direct
remote root login entirely).
* DSA authentication is enabled by default for maximum compatibility. * DSA authentication is enabled by default for maximum compatibility.
NOTE: do not use DSA authentication since it is being phased out for a reason NOTE: do not use DSA authentication since it is being phased out for a reason
- the size of DSA keys is limited by the standard to 1024 bits which cannot - the size of DSA keys is limited by the standard to 1024 bits which cannot

View File

@ -1,59 +0,0 @@
# HG changeset patch
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
Allow root login with password by default. While less secure than upstream
default of forbidding access to the root account with a password, we are
temporarily introducing this change to keep the default used in older OpenSSH
versions shipped with SLE.
Index: openssh-8.4p1/servconf.c
===================================================================
--- openssh-8.4p1.orig/servconf.c
+++ openssh-8.4p1/servconf.c
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
Index: openssh-8.4p1/sshd_config
===================================================================
--- openssh-8.4p1.orig/sshd_config
+++ openssh-8.4p1/sshd_config
@@ -29,7 +29,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Index: openssh-8.4p1/sshd_config.0
===================================================================
--- openssh-8.4p1.orig/sshd_config.0
+++ openssh-8.4p1/sshd_config.0
@@ -778,7 +778,7 @@ DESCRIPTION
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be yes, prohibit-password, forced-commands-only, or no. The
- default is prohibit-password.
+ default is yes.
If this option is set to prohibit-password (or its deprecated
alias, without-password), password and keyboard-interactive
Index: openssh-8.4p1/sshd_config.5
===================================================================
--- openssh-8.4p1.orig/sshd_config.5
+++ openssh-8.4p1/sshd_config.5
@@ -1331,7 +1331,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm yes .
.Pp
If this option is set to
.Cm prohibit-password

View File

@ -5,6 +5,14 @@ Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
/usr/share/ssh/ (openssh-8.4p1-vendordir.patch) /usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
- Move configuration files from /etc/ssh/ to /usr/share/ssh/ - Move configuration files from /etc/ssh/ to /usr/share/ssh/
-------------------------------------------------------------------
Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
as root via password by default (is also upstream default). Comment
indicates that this was a temporary meassure that we now had for
five years, time to get rid of it (bsc#1173067)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com> Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>

View File

@ -58,7 +58,6 @@ Source11: README.FIPS
Source12: cavs_driver-ssh.pl Source12: cavs_driver-ssh.pl
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
Source14: sysusers-sshd.conf Source14: sysusers-sshd.conf
Patch0: openssh-7.7p1-allow_root_password_login.patch
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch
Patch4: openssh-7.7p1-eal3.patch Patch4: openssh-7.7p1-eal3.patch